secure routing in multi-hop wireless networks (i)
DESCRIPTION
Secure routing in multi-hop wireless networks (I). ad hoc network routing protocols; attacks on routing; countermeasures;. outline. 1 Routing protocols for mobile ad hoc networks 2 Attacks on ad hoc network routing protocols 3 Security countermeasures for ad hoc network routing protocols. - PowerPoint PPT PresentationTRANSCRIPT
Security and Cooperation in Wireless NetworksSecurity and Cooperation in Wireless Networks Georg-August University Göttingen
Secure routing in multi-hop wireless Secure routing in multi-hop wireless networks (I)networks (I)
ad hoc network ad hoc network routing protocols;routing protocols;
attacks on routing;attacks on routing;
countermeasures;countermeasures;
Georg-August University GöttingenSecure routing in multi-hop wireless networks
outline
1 Routing protocols for mobile ad hoc networks2 Attacks on ad hoc network routing protocols3 Security countermeasures for ad hoc network routing protocols
2
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Ad hoc network routing protocols
topology-based protocols– Proactive:
• Every node knows a route to all other nodes at any time– distance vector based (e.g., DSDV)– link-state (e.g., OLSR)
• Requires periodic exchange of routing information among the nodes• If only few pairs of nodes communicate to each other, then most of
the periodically exchanged information is useless (never used)• But since the routes are always available and up-to-date, packets can
be sent with no routing delay (no need to wait until a route is found)
– reactive (on-demand):• A route is established between a source and a destination
only when needed– distance vector based (e.g., AODV)– source routing (e.g., DSR)
• Nodes use their resources to find routes only when there are data packets to be sent
3
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Ad hoc network routing protocols
– hybrid approaches• Try to combine the advantages of reactive and proactive routing
protocols • Use proactive approach to maintain routes from a node to its
local neighborhood (e.g. up to certain number of hops) and use reactive approaches when routes to far away nodes are required
position-based protocols– Use location information of the nodes to route data packets
• greedy forwarding (e.g., GPSR, GOAFR)• restricted directional flooding (e.g., DREAM, LAR)
– Each node is aware of its own location and obtains the location information of other nodes via a location service provided by the nodes in a distributed manner
– The sender obtains the location information of the destination node and puts it in the data packet; each intermediate node makes routing decisions based on its own location and the location of the destination node
4
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Example: Dynamic Source Routing (DSR)
DSR is an on-demand source routing protocol
As in any other on-demand routing protocol it has two components:– route discovery
• used only when source node attempts to send a packet to the destination node
• based on flooding of Route Requests (RREQ) and returning Route Replies (RREP)
– route maintenance• makes the source node able to detect route errors, e.g., if
a link along that route no longer works (usually because of nodes’ movement)
5
Georg-August University GöttingenSecure routing in multi-hop wireless networks
DSR Route Discovery
Assume that node A has some data packets to send to node H and has no route to it in its routing table it initiates and broadcasts a RREQ message; a RREQ carries a request identifier (to prevent
other nodes from proceeding the same RREQ more than once), the IDs of A and H and an empty list of forwarding nodes
Each intermediate node adds its ID to the list until the RREQ is received by H and will be replied by a RREP message
6
Georg-August University GöttingenSecure routing in multi-hop wireless networks
DSR Route Discovery
Node A wants to transmit some data packets to node H. It initiates a RREQ packet which will be broadcasted by the
nodes who receive it. When node H receives the RREQ it initiates a RREP packet. H copies the recorded list of identifiers from the RREQ to the
RREP.
7
A
B
C
D
E
F
G
H
A *: [RREQ, id, A, H; ()]B *: [RREQ, id, A, H; (B)]C *: [RREQ, id, A, H; (C)]D *: [RREQ, id, A, H; (D)]E *: [RREQ, id, A, H; (E)]F *: [RREQ, id, A, H; (E, F)]G *: [RREQ, id, A, H; (D,G)]( )
( )( )
( )
(D)
(E)
(D, G)
(E, F)
H A: [RREP, <source route>; (E, F)]
Georg-August University GöttingenSecure routing in multi-hop wireless networks
DSR Route Discovery
<source route> is the route used to send the packet back to A which could be obtained:
– from the route cache of H (means if H already had a route to A in its route cache)
– by reversing the route received in the RREQ• works only if all the links along the discovered
route are bidirectional• IEEE 802.11 assumes that links are bidirectional
– by executing a route discovery from H to A• discovered route from A to H is piggy backed to
avoid infinite recursion
8
Georg-August University GöttingenSecure routing in multi-hop wireless networks
DSR Route Maintenance
DSR requires each intermediate node to make sure that the data packet that it is forwarding reaches the next hop:– Data link layer acknowledgements can be used; or
overhearing the transmission of the packet by next intermediate node
If no acknowledgement arrives for a given packet, the intermediate node tries to re-transmit the packet
If still no acknowledgement arrives for that packet, the intermediate node generates a route error message and sends it to the source of the packet
The source and the other intermediate nodes who forward the error message would invalidate the routes that contain this broken link
9
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Example: Ad-hoc On-demand Distance Vector routing (AODV) on-demand distance vector routing
the nodes maintain routing tables A RREQ contains: IDs of the sender and the
destination, a hop count, a packet identifier, two sequence numbers: current sequence number of the source and the last known sequence number of the destination– Each node has a single sequence number which is incremented
after each detected change in the node’s neighbor set – A RREQ with an already seen packet identifier would be
discarded (duplicate RREQ)
uses sequence numbers to ensure loop-freedom and to detect out-of-date routing information
10
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Ad-hoc On-demand Distance Vector routing (AODV) sequence numbers help to:
1. avoid using old/broken routes• To determine which route is newer
2. prevent formation of loops:• How the sequence numbers can prevent loops in the rotes?
3. Example:4. A had a route to D initially: A-B-C-D5. Assume link C-D gets broken, but A does not know about failure of link C-D (because
for example the RERR (route error packet) sent by C is lost)6. Then assume node C performs a route discovery for D. 7. Node A receives the RREQ of C (for example via path C-E-A)8. Node A will generate a RREP because A knows a route to D via node B9. As the results a loop is created (C-E-A-B-C ): i.e. if C sends data packets to D using the
route that it just found, the data packets will be forwarded over and over in the loop10. If sequence numbers were used, the sequence number of the destination D in the
RREQ packet initiated by C would be greater than the one stored in the routing table of A (for the route A-B-C-D) as the second one belongs to an old route.
11
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Ad-hoc On-demand Distance Vector routing (AODV) When an intermediate node receives a RREQ:
– If the packet is duplicate packet discarded – Otherwise, if the node has no valid entry for that destination
in its routing table or has an entry with a sequence number smaller than the destination sequence number in the RREQ increment the hop count and re-broadcast the RREQ
– If it has an entry for that destination in its routing table with a sequence number at least as large as the destination sequence number in the RREQ or the node is the destination generate a RREP
When a RREQ or RREP message is received, besides processing the packet, an intermediate node would create or update a route entry for the source (in the case of receiving a RREQ) or for the destination node (in the case of receiving a RREP)
12
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Ad-hoc On-demand Distance Vector routing (AODV) a routing table entry contains the following:
– destination identifier– number of hops needed to reach the destination– identifier of the next hop towards the destination– destination sequence number– list of precursor nodes (that may forward packets
to the destination via this node)
13
Georg-August University GöttingenSecure routing in multi-hop wireless networks
AODV Route Discovery illustrated
14
A
B
C
D
E
F
G
H
A *: [RREQ, id, A, H, 0, snA, snH]B *: [RREQ, id, A, H, 1, snA, snH]C *: [RREQ, id, A, H, 1, snA, snH]D *: [RREQ, id, A, H, 1, snA, snH]E *: [RREQ, id, A, H, 1, snA, snH]F *: [RREQ, id, A, H, 2, snA, snH]G *: [RREQ, id, A, H, 2, snA, snH]
H F: [RREP, A, H, 0, sn’H]F E: [RREP, A, H, 1, sn’H]E A: [RREP, A, H, 2, sn’H]
(A, 0, -, -, snA)
(A, 0, -, -, snA)
(A, 0, -, -, snA)
(A, 0, -, -, snA)
(A, 1, D, -, snA)
(A, 1, E, -, snA)
(A, 2, F, -, snA)
(H, 0, -, E, sn’H)
(A, 1, E, H, snA)(H, 1, F, A, sn’H)
(A, 0, -, F, snA)(H, 2, E, -, sn’H)
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Proactive routing protocols
Link-state protocols:– Each node periodically broadcasts the state of its links – such messages are propagated through the whole network and
so every node gets aware of the link-state information of every other nodes and therefore the topology of the whole network
– Then centralized shortest path algorithms can be used locally at each node to calculate the shortest route to any destinations
Distance-vector based protocols– Each node periodically send its current routing table to its
neighbors– As each node receives the routing information of its neighbors,
it can use them to find better (shorter) routes to some destinations than the routes it already has in its routing table
– By repeating the routing table exchange and routing table update steps, the system would converge to a stable state, where each routing table contains correct routing information
15
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Position-based routing protocols
In position-based routing protocols there is no route discovery phase and, instead, the data packets are directed to the destination using location information available
nodes are aware of their own positions and that of their neighbors
The source node includes the position of the destination in the packet header of the data packets
The intermediate nodes would route the packet toward the destination based on their own location and the destination’s location
16
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Position-based greedy forwarding
Examples of Position-based greedy forwarding– Most Forward within Radius (MFR): the node forwards the
packet to its closest neighbor to the destination– Nearest with Forward Progress (NFP): to the nearest neighbor
among the ones closer than the forwarding node to the destination
– Compass forwarding: to the neighbor who is closest to the straight line between the forwarding node and the destination– Random forwarding: a random neighbor among the ones who are closer than the forwarding node to the destination
17
compass
MFR
NFP
source
destination
Georg-August University GöttingenSecure routing in multi-hop wireless networks
outline
1 Routing protocols for mobile ad hoc networks2 Attacks on ad hoc network routing protocols3 Security countermeasures for ad hoc network routing protocols
18
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Attacks on routing protocols
general objectives of attacks– increase adversarial control over the communications
between some nodes;– degrade the quality of the service provided by the network;– increase the resource consumption of some nodes (e.g., CPU,
memory, or energy).
adversary models– insider adversary
• Controls some nodes in the network – As the nodes in ad hoc networks are not physically protected, they
may be captured by the adversary– Such nodes are called adversarial nodes
– outsider adversary • Attacks the communication of some nodes
– Eavesdropping, jamming, injecting fabricated of replayed packets into the network
19
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Attacks on routing protocols
attack mechanisms– eavesdropping, replaying, modifying, and deleting
control packets– fabricating control packets containing fake routing
information (forgery)– fabricating control packets under a fake identity
(spoofing)– dropping data packets (attack against the
forwarding function)– wormholes and tunneling– rushing
20
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Attacks on routing protocols
types of attacks– route disruption: the adversary prevents two nodes from
discovering a route between them• E.x. if the adversary controls the nodes on the vertex-cut in the
network who drop all the control packets (route discovery packets) sent from one part of the network to the other part;
• Or if the adversary forges route error messages it can invalidate the correct routing state in the victim nodes
• In the following example, the attacker performs tunneling attack against routing protocol. It means the attacker tunnels the RREQ packet from the source to an area near the destination before the RREQ packet propagates through the network to that area.
Therefore, later when the nodes in that area receive the RREQ through the intermediate nodes, they would drop it as duplicate RREQ.
The result is that no legitimate route is discovered --> source and destination would be connected through wormhole.
21
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Example: Route disruption in DSR with rushing
22
wormhole
source
destination
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Attacks on routing protocols
– route diversion: • The adversary tries to divert routes such that they contain a
node it controls or a link it can observe• Then the adversary can modify or eavesdrop the packets sent
by the nodes• One way of diverting routes is by setting up tunnels: routes
going through the tunnel appear to be shorter, therefore:– used by many pairs of communicating nodes and the adversary can
access their communication easier – The nodes close to the end of tunnel receive lots of packets and
they should consume more resources
• Another aim of doing route diversion by the adversary could be increasing the length of discovered routes to increase latency and decrease quality of service
• Route diversion can be performed by forging or manipulating control packets, e.g. in source routing protocols the attacker can change the list of nodes on the RREP message
23
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Attacks on routing protocols
creation of incorrect routing state:– this attack aims at jeopardizing the routing state in some
nodes so that the state appears to be correct but, in fact, it is not
• data packets routed using that state will never reach their destinations
– the objective of creating incorrect routing state is • to increase the resource consumption of some nodes• the victims will use their incorrect state to forward data
packets, until they learn that something goes wrong• to degrade the quality of service
– can be achieved by • spoofing, forging, modifying, or dropping control packets
24
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Example: Creation of incorrect routing state in DSR
25
A
attackerB
C
D
E
F
G
H
A *: [RREQ, id, A, H; ()]B A: [RREP, <src route>, A, H; (D, F)]
H: (D, F)
• Route (A, D, F, H) does not exist !• The packets will be dropped when reaching the first non-existing link!
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Example: Creation of incorrect routing state in AODV
26
E (C) F: [RREP, A, H, 2, sn’H]E (D) C: [RREP, A, H, 2, sn’H]E (B) D: [RREP, A, H, 2, sn’H]E (F) B: [RREP, A, H, 2, sn’H]
(A, 0, -, -, snA)
(H, 3, C, B, sn’H)
(A, 1, B, C, snA)
A H
B
CD
E
(A, 1, B, -, snA)
(A, 1, B, -, snA)
(H, 3, B, A, sn’H)
(A, 0, -, B, snA)
F
(H, 3, D, B, sn’H)
(A, 1, B, D, snA)
(A, 0, -, -, snA)
(H, 3, F, A, sn’H)
(A, 0, -, F, snA)
• Creation of a routing loop.• Some packets will be forwarded in a cycle until their hop-count reaches the max. allowed value and then are discarded.
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Generation of extra control traffic
generation of extra control traffic:– Injecting spoofed control packets into the network– aiming at increasing resource consumption due to
the fact that such control packets are often flooded in the entire network
Position-based routing protocols seem to be more resistant to this attack, because they use no control packets– But the attacker can send forged or spoofed
location update messages to the location service which will be distributed among some nodes in the network and generate some extra control packets.
27
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Setting up a gray hole
creation of a gray hole:– an adversarial node selectively drops data packets
that it should forward– the objective is
• to degrade the quality of service– packet delivery ratio between some nodes can decrease
considerably
• to increase resource consumption– wasting the resources of those nodes that forward the
data packets that are finally dropped by the adversary
– implementation is trivial• adversarial node participates in the route
establishment• when it receives data packets for forwarding, it drops
them28
Georg-August University GöttingenSecure routing in multi-hop wireless networks
outline
1 Routing protocols for mobile ad hoc networks2 Attacks on ad hoc network routing protocols3 Security countermeasures for ad hoc network routing protocols
29
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Countermeasures
authentication of control packets
protection of mutable information in control packets
detecting wormholes and tunnels
combating gray holes
30
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Authentication of control packets
questions:– Who should authenticate the control packets?– Who should be able to verify authenticity?
control packets should be authenticated by their originators– using MACs or digital signatures by the source node
authenticity should be verifiable by the target of the control packet
moreover, each node that updates its routing state as a result of processing the control packet must be able to verify its authenticity
each node that processes and re-broadcasts or forwards the control packet must be able to verify its authenticity
as it is not known in advance which nodes will process a given control packet, we need a broadcast authentication scheme
31
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Protection of mutable information in control packets often, intermediate nodes add information to the control
packet before re-broadcasting or forwarding it (hop count, node list, etc.)
this added information is not protected by control packet origin authentication
each node that adds information to the packet should authenticate that information in such a way that each node that acts upon that information can verify its authenticity– using MACs or digital signatures by the forwarding node at each
hop:• E.g. intermediate nodes’ IDs added to the RREQ, is signed by
the node who adds that data– one problem is the increasing size of the signatures when the
number of hops increases
32
Georg-August University GöttingenSecure routing in multi-hop wireless networks
detecting wormholes and tunnels
– Tunnels are similar to wormholes• In tunneling, like in wormhole attacks, the two ends of the
attack look to be neighbors, so the effect of these two attacks on routing is similar
• In tunneling two far away adversarial nodes encapsulate control packets as normal data packets and send to each other
• They use the routing facilities of the network for sending packets
• Wormhole happens in physical layers and does not require that the adversary controls or owns nodes in the network
• In tunneling attack, the adversary should have two addressable nodes present at the routing layer
– Some wormhole detection approaches could be adopted to tunneling attacks
33
Georg-August University GöttingenSecure routing in multi-hop wireless networks
Combating gray holes
two approaches:• use multiple, preferably disjoint routes (multi-
path)– Even if the data packets can not reach the destination
through some routes they will be received using other routes– increased robustness– but also increases resource consumption
• detect and react– monitor neighbors (to see if they forward the packet they
received to forward) and identify misbehaving nodes– use routes that avoid those misbehaving nodes– For this purpose reputation reports about nodes can be
spread in the network to build trust values
34